CERT® Coordination Center
Networked Systems Survivability
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
© 2003 Carnegie Mellon University
® CERT, CERT Coordination Center, and Carnegie Mellon are registered in the U.S. Patent and Trademark Office
EDUCAUSE 2003: Creating a Computer Security Incident Response Team (CSIRT)
Robin Ruefle
CERT® CSIRT Development Team
November 4–7
© 2003 Carnegie Mellon University - slide 2 - Creating a CSIRT
© Carnegie Mellon University 2003.
This work is the intellectual property of Carnegie Mellon University. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from Carnegie Mellon.
Imagine...
...that one of the most critical systems for your institution has been compromised and sensitive or proprietary data has been accessed, deleted, or modified…
Incident Reports are Increasing
Current Situation
Today we see
• a general increase in the number and type of organizations being affected by computer security incidents
• a decrease in the amount of time available to respond
• a more focused awareness by organizations of the need for security policies and practices as part of their overall risk-management strategies
• new laws and regulations that affect how organizations are required to protect information assets
• the realization that systems and network administrators alone cannot protect organizational systems and assets
Why Are We Here?
Even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen.
• When computer security incidents occur, it is critical for an organization to have an effective means of responding.
• The speed with which an organization can recognize, analyze, and respond to an incident limits the damage done and lowers the cost of recovery.
What Can Be Done?
As a defense against Internet security threats, organizations can
• keep up to date with the latest operating system patches and product updates
• install perimeter and internal defenses such as routers, firewalls, scanners, and intrusion detection systems
• update and expand computer security policies and procedures
• provide security awareness training to employees, customers, and constituents
• create an organizational CSIRT
What is a CSIRT?
An organization or team that provides services and support, to a defined constituency, for preventing, handling and responding to computer security incidents
What Does a CSIRT Do?
In general a CSIRT
• provides a single point of contact for reporting local problems
• identifies and analyzes what has happened, including the impact and threat
• researches solutions and mitigation strategies
• shares response options, information, and lessons learned
A CSIRT’s goal is to
• minimize and control the damage
• provide or assist with effective response and recovery
• help prevent future events from happening
No single team can be everything to everyone!
Benefits of a CSIRT
Reactive
• focused response effort
• more rapid, standardized, and coordinated response
• stable cadre of staff with incident handling expertise, combined with functional business knowledge
• collaboration with others in the security community
Proactive
• enabler of organizational business goals
• supplier of authentic risk data and business intelligence
• input into the product development cycle or network operations
• assistance in performing vulnerability assessments and developing security policies
Process versus Technology
Incident handling is not just the application of technology to resolve computer security events.
It is the development of a plan of action, a response plan that
• integrates into the existing processes and organizational structures
• strengthens and improves the capability of the constituency to effectively manage computer security events
• is part of an overall strategy to protect and secure critical business functions and assets.
It is the establishment of processes for
• notification and communication
• collaboration and coordination
• analysis and response
Creating an Effective CSIRT
To be effective, a CSIRT requires four basic elements
• an operational framework
• a service and policy framework
• a quality assurance framework
• the capability to adapt to a changing environment and changing threat profiles
Building Your Vision
Basic Implementation Steps
• Get approval and support from management.
• Identify who will need to be involved.
• Have an announcement sent out by management.
• Select a project team.
• Collect information.
- Research what other organizations are doing.
- Identify existing processes and workflows.
- Interview key stakeholders and participants.
• With input from stakeholders, determine
- CSIRT mission
- CSIRT range and levels of service
- CSIRT reporting structure, authority, and organizational model
- identify interactions with key parts of the constituency
- define roles and responsibilities for interactions.
• Create a plan based on the vision or framework.
• Obtain feedback on the plan.
• Build CSIRT.
• Announce CSIRT.
• Get feedback.
Who Needs to Be Involved
Internal CSIRT
• business managers
• IT and telecommunications
• legal counsel
• human resources
• public relations or media relations
• physical security
• risk management
• law enforcement liaisons or investigations
• general representatives from the constituency
Where Do You Begin?
What’s already in place – create a matrix of expertise
• What expertise exists?
• What tools and processes are already in place?
Brainstorm and discuss – design the workflow
• What is the desired response and notification strategy?
• What needs to be changed with the addition of a CSIRT?
• How does the CSIRT fit into any disaster recovery or business continuity plans?
Implementation – build staff and processes
• Develop the interim plan.
• Develop the long-term plan.
Gather Information
Key information to gather includes
• What needs does the constituency have?
• What are the critical assets that must be protected?
• What types of incidents are frequently reported?
• What computer security problems exist?
• What type of response is needed?
• What assistance and expertise is needed?
• What processes are required?
• Who will perform what role?
• Is anyone currently performing that role?
• Who needs to be involved in the notification or escalation processes?
Existing Resources That May Help
Available resources that may provide information
• organization charts for the enterprise and specific business functions
• topologies for organizational or constituency systems and networks
• critical system and asset inventories
• existing disaster recovery or business continuity plans
• existing guidelines for notifying the organization of a physical security breach
• any existing incident response plans
• any parental or institutional regulations
Achieve Consensus
Definition of CSIRT
• mission
• services
• roles and responsibilities
• authority
• interactions
Definition of computer security incidents
• classifications
• priorities
• escalation criteria
Range of CSIRT Services
Base Set of CSIRT Services
Reactive Services
• alerts and warnings
• incident handling
- incident analysis
- and at least one of the following: incident response resolution, incident response support, incident response coordination
• vulnerability handling
- vulnerability response coordination
Proactive Services
• announcements
Security Quality Management Services
• awareness building
• security consulting – particularly developing security policies
CSIRT Organizational Models
• Security Team - incident handling is done ad hoc by those in the organization responsible for system and network infrastructures.
• Internal Distributed Team – utilizes existing staff to provide a “virtual” distributed CSIRT, formally chartered to deal with incident response activities.
• Internal Centralized Team – a centrally located, dedicated CSIRT that provides incident handling services.
• Combined Distributed and Centralized Team – a combination of the distributed CSIRT and the centralized CSIRT.
• Coordinating CSIRT – coordinates and facilitates the handling of incidents across a variety of internal or external organizations.
CSIRT Resources
Staff Skills
• personal communication
• technical
• security and incident response
Equipment
• office and test facilities
• remote access and communications
Infrastructure
• physical location and working space
• protection of CSIRT data
• secured systems and networks
Some Basic Requirements
• incident reporting and tracking system
• communications mechanisms
- hotline or helpdesk
- web site and/or ftp site
- mailing distribution lists
- cell phones and pagers
• secure communications mechanisms
- PGP keys or digital certificates for signing CSIRT documents and mailings
- secure phones
- intranets or extranets
• secured access to CSIRT facilities
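The "secure communications mechanisms" item is where a constituent's ability to tell a genuine CSIRT mailing from a forged one is decided. The Go program below is an added example written for this page, not CERT/CC code: it signs an advisory with a detached signature and verifies it on the receiving side, using Ed25519 from the Go standard library as a stand-in for PGP or a certificate-based signature. The canonicalization rules, the key-handling helper and the sample advisory text are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// NewCSIRTKey generates the team's signing key pair. The private key stays on a
// protected CSIRT system; the public key is published to the constituency in
// advance, through a channel they already trust, so that it cannot be swapped
// together with a forged advisory. (Helper written for this example.)
func NewCSIRTKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: refuse to produce a weak key
	}
	return pub, priv
}

// Canonicalize normalizes an advisory before it is signed or verified: CRLF
// becomes LF, trailing spaces and tabs are removed, and the text ends in exactly
// one newline. Changes a mail gateway makes in transit then leave the signature
// valid, while any change to the words breaks it. The idea is the canonical text
// form of OpenPGP cleartext signatures; the exact rules are an assumption here.
func Canonicalize(body string) []byte {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return []byte(strings.TrimRight(strings.Join(lines, "\n"), "\n") + "\n")
}

// SignAdvisory returns a detached, hex-encoded signature that is distributed
// with the advisory (in the mailing, or next to the file on the web site).
func SignAdvisory(priv ed25519.PrivateKey, body string) string {
	return hex.EncodeToString(ed25519.Sign(priv, Canonicalize(body)))
}

// VerifyAdvisory is the check a constituent runs before acting on an advisory.
func VerifyAdvisory(pub ed25519.PublicKey, body, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, Canonicalize(body), sig)
}

func main() {
	pub, priv := NewCSIRTKey()
	advisory := "SAMPLE ADVISORY (constructed for this example)\n" +
		"Affected: campus mail relay\n" +
		"Action: apply the vendor patch and restart the service\n"
	sig := SignAdvisory(priv, advisory)

	reflowed := strings.ReplaceAll(advisory, "\n", " \r\n") // what a mail gateway might do in transit
	tampered := strings.Replace(advisory, "apply the vendor patch", "disable the host firewall", 1)
	_, impostorKey := NewCSIRTKey() // someone forging a mailing with their own key
	fmt.Println("original verifies:   ", VerifyAdvisory(pub, advisory, sig))
	fmt.Println("reflowed verifies:   ", VerifyAdvisory(pub, reflowed, sig))
	fmt.Println("tampered verifies:   ", VerifyAdvisory(pub, tampered, sig))
	fmt.Println("impostor's verifies: ", VerifyAdvisory(pub, advisory, SignAdvisory(impostorKey, advisory)))
}
```

The canonical form is what lets a mailing list or gateway rewrap line endings or add trailing whitespace without invalidating the signature, while a changed instruction still breaks it. The last check matters as much as the others: a valid signature from a different key is worthless, which is why the team's public key or fingerprint has to reach the constituency ahead of time over a channel trusted independently of the mailing, for example in the team's RFC 2350 description.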
Incident Reporting Guidelines
These guidelines define
• how your constituency interacts with your CSIRT
• what constitutes an incident
• what types of incidents to report
• who should report an incident
• why an incident should be reported
• the process for reporting an incident
• the process for responding to an incident
For an example see the CERT/CC Incident Reporting Guidelines: http://www.cert.org/tech_tips/incident_reporting.html
Incident Handling Methodology
Prepare
• security awareness training
• notification lists
• expertise matrix and non-disclosures
• original media and backups
• patch, configuration, and change management systems
Detect
• network monitoring and intrusion detection
• constituency reports
• public or private mailing lists
• proactive scanning
Respond
• verify
• contain
• notify
• analyze
• research
• recover
• follow-up
Improve
• perform a post mortem
• harden systems
• update response policies and procedures
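The Respond steps above, the incident classifications, priorities and escalation criteria that the "Achieve Consensus" slide says must be agreed, and the incident reporting and tracking system listed under basic requirements fit together in one small tracking core. The Go program below is an added example written for this page, not CERT/CC code: the classification names, the priority rules, the roles notified and the sample report are assumptions standing in for whatever a given CSIRT agrees with its constituency.

```go
package main

import (
	"fmt"
	"time"
)

// Classification values are the incident categories agreed with the constituency in advance (assumed here).
type Classification string

const (
	Probe              Classification = "probe"               // scans, failed logins, no access gained
	Malware            Classification = "malware"             // worm or virus infection
	UnauthorizedAccess Classification = "unauthorized-access" // account or host compromised, no confirmed data impact
	DataCompromise     Classification = "data-compromise"     // sensitive data accessed, deleted or modified
)

type Priority int // 1 is the most urgent

// Report holds what the reporting guidelines require a reporter to supply, so triage can start from it alone.
type Report struct {
	Received      time.Time
	Class         Classification
	Asset         string
	CriticalAsset bool // listed on the critical system and asset inventory
	StillActive   bool // attacker activity was ongoing when reported
}

var basePriority = map[Classification]Priority{Probe: 4, Malware: 3, UnauthorizedAccess: 2, DataCompromise: 1}

// Prioritize applies the (assumed) priority rules: start from the class, raise one level for a critical
// asset, treat anything still active as at least P2, and hold an unrecognised class at P3 for a handler.
func Prioritize(r Report) Priority {
	p, ok := basePriority[r.Class]
	if !ok {
		p = 3
	}
	if r.CriticalAsset && p > 1 {
		p--
	}
	if r.StillActive && p > 2 {
		p = 2
	}
	return p
}

// Escalate lists the roles to notify under the (assumed) escalation criteria.
func Escalate(r Report, p Priority) []string {
	roles := []string{"csirt-duty-handler"}
	if p <= 2 {
		roles = append(roles, "it-operations-manager", "csirt-manager")
	}
	if r.Class == DataCompromise {
		roles = append(roles, "legal-counsel", "public-relations")
	}
	return roles
}

// phases are the Respond steps in the order the methodology lists them.
var phases = []string{"verify", "contain", "notify", "analyze", "research", "recover", "follow-up"}

// Incident is one tracking-system record: the report plus its handling history.
type Incident struct {
	ID       string
	Report   Report
	Priority Priority
	Phase    int      // index into phases; -1 until verification starts
	History  []string // one line per transition, kept for the post mortem
}

func Open(id string, r Report) *Incident {
	return &Incident{ID: id, Report: r, Priority: Prioritize(r), Phase: -1}
}

// Advance moves to the next phase only: skipping ahead (notifying before containment is confirmed)
// or repeating a phase is rejected, so the record always reflects the agreed procedure.
func (inc *Incident) Advance(phase string, at time.Time, note string) error {
	next := inc.Phase + 1
	if next >= len(phases) || phases[next] != phase {
		return fmt.Errorf("incident %s: cannot move to %q at step %d", inc.ID, phase, inc.Phase+1)
	}
	inc.Phase = next
	inc.History = append(inc.History, fmt.Sprintf("%s %s: %s", at.UTC().Format(time.RFC3339), phase, note))
	return nil
}

func main() {
	received := time.Date(2003, 11, 4, 9, 15, 0, 0, time.UTC) // constructed sample report
	r := Report{Received: received, Class: DataCompromise, Asset: "student-records-db", CriticalAsset: true, StillActive: true}
	inc := Open("INC-0001", r)
	fmt.Printf("%s is P%d; notify %v\n", inc.ID, inc.Priority, Escalate(r, inc.Priority))
	if err := inc.Advance("contain", received.Add(10*time.Minute), "host pulled from network"); err != nil {
		fmt.Println("rejected:", err) // verify comes before contain
	}
	_ = inc.Advance("verify", received.Add(12*time.Minute), "unauthorized queries confirmed in DB audit log")
	_ = inc.Advance("contain", received.Add(25*time.Minute), "database host isolated from the network")
	fmt.Println("phase:", phases[inc.Phase], "history:", inc.History)
}
```

Two design choices matter more than the particular rules. Triage is computed only from fields the reporting guidelines require the reporter to supply, which is what makes those guidelines worth enforcing at intake; and the phase order is enforced in the record rather than left to the handler, so the post mortem can see whether the team notified before it had contained, or recovered without analysing.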
There is No Single Recipe
There is no single recipe for creating a CSIRT.
It depends on your
• needs and requirements
• mission and goals
• available resources and support
Common Problems
Failure to
• include all involved parties
• achieve consensus
• develop an overall vision and framework
• outline and document policies and procedures
Organizational battles
Taking on too many services
Unrealistic expectations or perceptions
Lack of time, staff, and funding
About that Incident…Ask Yourself
• How would your organization respond to this type of incident if it happened now?
• Who would respond? Who should respond? Who else needs to be involved?
• What would the response be?
• Who makes these decisions?
• How would you like your organization to respond?
• What formalized processes do you need to put in place?
• What formalized personnel assignments do you need to make?
• What training do those involved require?
Resources That Can Help
• The Handbook for CSIRTs, Second Edition
http://www.cert.org/archive/pdf/csirt-handbook.pdf
• The State of the Practice of CSIRTs
http://www.cert.org/archive/pdf/03tr001.pdf
• Creating a Computer Security Incident Response Team: A Process for Getting Started
http://www.cert.org/csirts/Creating-A-CSIRT.html
• Forming an Incident Response Team
http://www.auscert.org.au/render.html?it=2252&cid=1920
• Avoiding the Trial-by-Fire Approach to Security Incidents
http://interactive.sei.cmu.edu/news@sei/columns/security_matters/1999/mar/security_matters.htm
• CERT Security Practice: Responding to Intrusions
http://www.cert.org/security-improvement/modules/m06.html
Additional Resources
Relevant RFCs
• Site Security Handbook
http://www.ietf.org/rfc/rfc2196.txt
• Expectations for Computer Security Incident Response
http://www.ietf.org/rfc/rfc2350.txt
• Internet Security Glossary
http://www.ietf.org/rfc/rfc2828.txt
• Guidelines for Evidence Collection and Archiving
http://www.ietf.org/rfc/rfc3227.txt
And More Resources
Other Resources include:
• The Center for Education and Research in Information Assurance and Security
http://www.cerias.purdue.edu/
• Security Focus Incident Forum
http://www.securityfocus.org/incidents
• The National Institute of Standards and Technology: Draft Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/drafts/draft_sp800-61.pdf
• The U.S. Department of Justice Computer Crime and Intellectual Property Section (CCIPS)
http://www.cybercrime.gov/
Contact Information
Robin Ruefle
CERT® CSIRT Development Team
Networked Systems Survivability
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
[email protected]
http://www.cert.org/csirts/
+1 412 268-7090